VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Edimax EW-7438RPn formStats stack-based overflow

CVE-2026-9481

Description

A flaw has been found in Edimax EW-7438RPn 1.31. This affects the function formStats of the file /goform/formStats. Manipulation of the argument submit-url causes a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in Edimax EW-7438RPn 1.31 /goform/formStats via submit-url allows unauthenticated remote code execution.

Vulnerability

The Edimax EW-7438RPn Extender firmware version 1.31 contains a stack-based buffer overflow vulnerability in the formStats function of the /goform/formStats endpoint [1]. The submit-url parameter is copied directly onto the stack without length checking, allowing an attacker to overwrite the return address [1]. No authentication is required to reach the vulnerable code path [1].

Exploitation

An unauthenticated attacker can send a crafted HTTP POST request to /goform/formStats with an overly long submit-url parameter [1]. The request requires no special network position beyond being able to reach the device and does not require authentication [1]. A proof-of-concept (PoC) has been published showing that a long string of 'a' characters crashes the device [1]. The vulnerability is remotely exploitable over the network [1].

Impact

Successful exploitation allows an attacker to crash the device (denial of service) and potentially achieve arbitrary code execution by controlling the return address [1]. The attacker gains the ability to execute arbitrary commands with the privileges of the affected webs binary, which runs as a privileged process on the device [1].

Mitigation

The vendor, Edimax, was contacted but did not respond [1]. As of the publication date, no official fix or patched firmware version has been released [1]. Affected users should consider isolating the device on a separate network segment, disabling remote management, and monitoring for any future firmware updates [1].
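One way to monitor for the request pattern described above, as an added example that is not part of this advisory or of Edimax's firmware: it inspects captured HTTP requests in front of the device and flags POSTs to /goform/formStats whose submit-url value exceeds a length threshold. MAX_LEN and the sample requests are constructed assumptions, since the advisory says only that the parameter is "overly long".

```python
"""Flag oversized submit-url values posted to /goform/formStats.

Added example (not advisory or vendor code). MAX_LEN is an assumed
threshold: the advisory says only that the parameter is "overly long".
"""
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/goform/formStats"
PARAM = "submit-url"
MAX_LEN = 128  # assumed threshold; tune to what the legitimate UI sends


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path and decoded form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    path = urlsplit(target).path  # drop any query string from the target
    fields = parse_qs(body, keep_blank_values=True)
    return {"method": method, "path": path, "fields": fields}


def is_suspicious(raw: str, max_len: int = MAX_LEN) -> bool:
    """True if the request is a POST to formStats with an oversized submit-url."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"] != VULN_PATH:
        return False
    values = req["fields"].get(PARAM, [])
    return any(len(v) > max_len for v in values)


def scan(requests: list[str]) -> list[int]:
    """Return indices of captured requests that match the overflow pattern."""
    return [i for i, r in enumerate(requests) if is_suspicious(r)]


# Constructed sample traffic: one benign form post, one oversized value.
BENIGN = (
    "POST /goform/formStats HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "submit-url=/stats.asp"
)
OVERSIZED = (
    "POST /goform/formStats HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "submit-url=" + "a" * 600
)

if __name__ == "__main__":
    print(scan([BENIGN, OVERSIZED]))  # [1]
```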

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
